I recently came across an interesting LinkedIn post by Daniel J. Solove, the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company.
The post, titled “Boards of Directors Must Grapple with Privacy and Cybersecurity”, characterized privacy and cybersecurity as becoming “existential” issues and extolled the need for them to start being addressed at the board level.
It cited research showing that a majority of board members believed that they should be actively involved in cyber security but that only 14% of them were actively involved. It cited another survey showing 32.5% of boards do not receive any information about their organization’s cybersecurity posture and activities whatsoever, and of the 55% that do receive regular reports, 19% receive reports only annually.
The Confluence of Security, Privacy and Trust is an idea whose time has come. Each of these independent components has matured to a level where it can be synthesized with the others to form an integrated whole. This is seen clearly in the healthcare sector, where privacy advocates struggle with security experts over patients’ right of access to their own healthcare records. The security contingent wants to lock down the electronic health record (EHR) and restrict access to safeguard the time-honored CIA triad (Confidentiality, Integrity and Availability). Privacy advocates feel that such actions limit human freedom, e.g., patients’ access to their own health records. And neither side trusts the other. They cannot even agree on a definition of trust, let alone a solution.
Individuals seemingly have more freedom than ever before, but that is an illusion. Their financial and healthcare records and Personally Identifiable Information (PII) are up for grabs. The situation in the financial sector over PII and data protection is similar: users’ privacy, and how to protect it, is fraught with compliance mandates and confusion. The rival camps are entrenched and seemingly intractable.
We at the Digital Risk Management Institute (DRMI) completely agree with Professor Solove and for several years have championed the need to marry legal frameworks with technology and bridge the silos between privacy and security. To that end we recently released the industry’s first DRM Framework (DRMF) – a consistent, unified approach to measuring and managing digital risk that has the potential to deliver cost efficiencies and greater risk assurance for business processes than the fragmented approach currently in place in most large organizations.
Ancillary to the framework is the notion of a holistic security architecture that must be in place to assemble the fragmented pieces into a whole while avoiding the unnecessary complexity so often induced in the development lifecycle of systems. Implementing security early in the development life cycle could simply start with this holistic security architecture.
Take the software-defined perimeter for example, where the architecture ensures that user authentication, mutual secure communications, device validation, dynamic firewalls and application binding all work together to ‘blacken’ the servers providing critical services, so that they are invisible to anyone who has not first been authenticated and authorized. Further, adding ‘trust marks’ and integrating those into the architecture to enforce authorization and authentication policies brings us closer to ensuring privacy.
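To make the software-defined perimeter idea concrete, here is a small added example (not DRMI code and not part of the original post) that models the control flow of an SDP controller in front of a default-deny gateway: the protected ports answer nobody until user authentication, device posture validation and application authorization have all passed, after which a short-lived firewall rule is opened for that one client address and that one application port. The users, devices, applications, salt and addresses are constructed for illustration; mutual TLS for the control channel is assumed to be in place and is not shown.

```python
"""Toy software-defined perimeter (SDP) controller and gateway.

Constructed example: the users, devices, applications and addresses below
are made up for illustration and do not describe any real deployment.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# --- User authentication -------------------------------------------------
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"  # fixed so the example is deterministic
USERS = {  # username -> (pbkdf2 hash, applications the user may reach)
    "alice": (_hash_password("correct horse", _SALT), {"ehr-api"}),
}

# --- Device validation ---------------------------------------------------
DEVICES = {  # device id -> posture; only fully compliant devices are admitted
    "laptop-17": {"disk_encrypted": True, "patched": True},
    "tablet-03": {"disk_encrypted": False, "patched": True},
}

# --- Application binding: application name -> protected server port ------
APPS = {"ehr-api": 8443, "billing": 9443}


@dataclass
class Rule:
    src_ip: str
    dst_port: int
    expires_at: float


@dataclass
class Gateway:
    """Default-deny packet filter: with no rules, every protected port is 'black'."""
    rules: list = field(default_factory=list)

    def allow(self, src_ip: str, dst_port: int, ttl: float, now: float) -> None:
        """Open a dynamic rule for one client address and one port, with a TTL."""
        self.rules.append(Rule(src_ip, dst_port, now + ttl))

    def permits(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Enforcement check; stale rules are dropped before matching."""
        self.rules = [r for r in self.rules if r.expires_at > now]
        return any(r.src_ip == src_ip and r.dst_port == dst_port for r in self.rules)


def request_access(gateway: Gateway, username: str, password: str, device_id: str,
                   app: str, src_ip: str, now: float, ttl: float = 300) -> bool:
    """Controller decision: every check must pass before any rule is opened.

    Returns True when a dynamic firewall rule was added, False otherwise.
    """
    record = USERS.get(username)
    if record is None:
        return False
    stored_hash, allowed_apps = record
    # constant-time comparison of the password hash
    if not hmac.compare_digest(stored_hash, _hash_password(password, _SALT)):
        return False
    posture = DEVICES.get(device_id)
    if posture is None or not all(posture.values()):
        return False  # unknown or non-compliant device
    if app not in allowed_apps or app not in APPS:
        return False  # user is not authorized for this application
    # application binding: the rule covers only this app's port, nothing else
    gateway.allow(src_ip, APPS[app], ttl, now)
    return True


if __name__ == "__main__":
    gw = Gateway()
    t0 = 1_000.0
    print("before auth:", gw.permits("10.0.0.5", 8443, t0))
    print("access granted:", request_access(gw, "alice", "correct horse",
                                            "laptop-17", "ehr-api", "10.0.0.5", t0))
    print("after auth:", gw.permits("10.0.0.5", 8443, t0 + 10))
    print("other port:", gw.permits("10.0.0.5", 9443, t0 + 10))
    print("after expiry:", gw.permits("10.0.0.5", 8443, t0 + 400))
```

The design point is the ordering: the gateway holds no standing rules, so a scanner sees nothing, and a single failed check (wrong password, non-compliant device, unauthorized application) leaves the gateway untouched rather than partially opened. The per-rule expiry is what turns the firewall from a static allow-list into a dynamic one that follows the session.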
Architectures and solutions to integrate security and privacy are available today. The time has come to foster a new approach and a holistic architecture that engages business units, cyber security, risk officers, and achieves board level visibility.
I’d love to hear your thoughts about this confluence. Also, we hope you will consider joining us as a member of the DRM Institute. Visit this DRM Institute page to become a General Member. Once you are a General Member you can join the General Member LinkedIn group and also apply for Charter Member status.